Friday, May 18, 2012

Do You Want To Allow Changes?

If you've used Windows for any length of time, you're familiar with the pop-up box that asks: Do you want to allow this program to make changes to your computer? One of the most commonly asked questions is: How do I know when to click Yes and when to click No? The first step to determining the answer to this question is to understand why this box is popping up in the first place.
The simplest answer as to why that box keeps popping up is that it is attempting to stop your computer from installing malware without you knowing. Traditionally, viruses and other malware would piggyback on a file that you wanted to download in order to get into your computer. Once downloaded, the malware would begin running processes in the background to embed itself deep within your system. Microsoft has attempted to stop this by building a protection into Windows called User Account Control (UAC). UAC is designed to force any program that is trying to change how your system runs to ask your permission before it's allowed access. This limits the amount of damage that a virus can do without alerting you that it's there. The trick is to know, when that box pops up, whether it's something that you made happen or something that a background program triggered. Once we determine that it's a background program, we can figure out if it's something that is malicious, or if there's a legitimate reason for that program to change your system.
First, let's rule out the possibility that you triggered the UAC box to pop up with something that you're doing. Here's a list of actions that will cause that box to pop up:

  • Running an Application as an Administrator
  • Changes to system-wide settings or to files in %SystemRoot% or %ProgramFiles%
  • Installing and uninstalling applications
  • Installing device drivers
  • Installing ActiveX controls
  • Changing settings for Windows Firewall
  • Changing UAC settings
  • Configuring Windows Update
  • Adding or removing user accounts
  • Changing a user’s account type
  • Configuring Parental Controls
  • Running Task Scheduler
  • Restoring backed-up system files
  • Viewing or changing another user’s folders and files
  • Running Disk Defragmenter

Running any utilities such as CCleaner or Defraggler will trigger the box because these programs are designed to perform one or more of these actions. Were you running any utilities immediately before seeing that box pop up? If so, there's a good chance that you triggered the UAC. In this case, the system is just checking to make sure that you're aware of what you're doing.
If you didn't try to perform any of the listed actions and weren't opening a utility program, then we know that a background process caused the box to pop up. Now we have to determine if that process is malicious. The easiest check is to look at the program name and publisher listed in the pop-up box. Is it something that you recognize and know is safe, such as Adobe, Java or Firefox? Is your antivirus trying to update itself to keep you safe from new threats? If it's a name that you know and trust, it's probably OK to go ahead and allow the action. If you don't recognize the name and publisher, or if the publisher is listed as Unknown, then we may have an issue. If you've recently downloaded or installed a program that you wouldn't expect to change your Windows settings and it pops up a box, this is an indication that it may be malicious. This is an instance where you probably want to deny access.
Once you've decided that the program listed in the box is suspicious, the easiest action is to run a simple Google search. In most cases, you aren't the first person to encounter this issue. Other people have taken to the Internet to find out what this program is and why it's trying to access your computer. If it's something malicious, you'll immediately see red flags in your Google search, such as pages titled Virus, Spyware or Adware. One of the most common malware programs that we encounter is a toolbar called CouponBar. When I type CouponBar into Google, in the first page of results I see: Virus Warning!, an adware program..., (adware. couponbar), How do i remove the coupon bar adware from my computer?, and pages on and In all, 6 out of the first 10 pages listed refer to some form of malware, either in the title, the description, or the page's address. The other 4 are offers to download CouponBar. This tells me that even if I installed CouponBar on purpose, I probably shouldn't grant it access to my system. Other searches, such as a search for msiexec.exe, will not be so obvious. Some sites indicate that it may be malware, while other sites indicate that it may be part of the Windows operating system. In cases like this, it's safest to deny the program access and consult somebody who's more familiar with computers. Let them know what you were doing when the box popped up, what exactly the box said, and what programs were running. This way they'll have the tools to diagnose your system and tell whether your system was performing scheduled maintenance, or if you have malware masquerading as a benign system process.
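For the person you hand an ambiguous case like msiexec.exe to, here is an added example (not part of the original post) of checking a file's publisher and location from PowerShell. The function name Test-PromptedProgram and the list of expected folders are assumptions made for this illustration.

```powershell
# Added example: report the signer and location of a program named in a UAC prompt.
# Test-PromptedProgram and $ExpectedFolders are hypothetical names for this sketch.
function Test-PromptedProgram {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        # Assumption: folders where a genuine Windows component is expected to live
        [string[]] $ExpectedFolders = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # No signer certificate corresponds to the "Unknown" publisher case in the prompt
    $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'Unknown' }

    # -contains compares strings case-insensitively, which suits Windows paths
    $inExpectedFolder = $ExpectedFolders -contains $file.DirectoryName
    $signatureValid   = ($sig.Status -eq 'Valid')

    if ($signatureValid -and $inExpectedFolder) {
        $verdict = 'Valid signature and expected Windows folder'
    }
    elseif ($signatureValid) {
        $verdict = 'Valid signature, but not in an expected Windows folder: check the publisher'
    }
    else {
        $verdict = 'No valid signature: treat as suspicious'
    }

    [pscustomobject]@{
        File             = $file.FullName
        SignatureStatus  = $sig.Status
        Publisher        = $publisher
        InExpectedFolder = $inExpectedFolder
        Verdict          = $verdict
    }
}

# A file that only borrows the name msiexec.exe from another folder fails the location check
Test-PromptedProgram -Path "$env:SystemRoot\System32\msiexec.exe"
```

On older PowerShell versions, a file signed only through a Windows catalog can report NotSigned, so read that status together with the folder check and the Publisher field.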
As always, the safest bet is to have an up-to-date version of an anti-malware program running at all times. That way most threats should be neutralized before that pop-up window ever appears. UAC is a system that was developed by Microsoft to make it harder to invade your system, but it's not a catch-all. Malware developers have come up with ways to circumvent this feature. The easiest way for them to do that is to trick you into clicking Yes on that pop-up box. Hopefully, we've given you some tools that will allow you to know when it's safe to say Yes, and when you need to dig a little deeper.
